wolf SSL / wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents:   CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/ed25519.c@7:481bce714567, 2017-05-02 (annotated)

Committer:
wolfSSL
Date:
Tue May 02 08:44:47 2017 +0000
Revision:
7:481bce714567
wolfSSL3.10.2

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 7:481bce714567 1 /* ed25519.c
wolfSSL 7:481bce714567 2 *
wolfSSL 7:481bce714567 3 * Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL 7:481bce714567 4 *
wolfSSL 7:481bce714567 5 * This file is part of wolfSSL.
wolfSSL 7:481bce714567 6 *
wolfSSL 7:481bce714567 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 7:481bce714567 8 * it under the terms of the GNU General Public License as published by
wolfSSL 7:481bce714567 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 7:481bce714567 10 * (at your option) any later version.
wolfSSL 7:481bce714567 11 *
wolfSSL 7:481bce714567 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 7:481bce714567 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 7:481bce714567 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 7:481bce714567 15 * GNU General Public License for more details.
wolfSSL 7:481bce714567 16 *
wolfSSL 7:481bce714567 17 * You should have received a copy of the GNU General Public License
wolfSSL 7:481bce714567 18 * along with this program; if not, write to the Free Software
wolfSSL 7:481bce714567 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 7:481bce714567 20 */
wolfSSL 7:481bce714567 21
wolfSSL 7:481bce714567 22
wolfSSL 7:481bce714567 23 /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
wolfSSL 7:481bce714567 24
wolfSSL 7:481bce714567 25 #ifdef HAVE_CONFIG_H
wolfSSL 7:481bce714567 26 #include <config.h>
wolfSSL 7:481bce714567 27 #endif
wolfSSL 7:481bce714567 28
wolfSSL 7:481bce714567 29 /* in case user set HAVE_ED25519 there */
wolfSSL 7:481bce714567 30 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 7:481bce714567 31
wolfSSL 7:481bce714567 32 #ifdef HAVE_ED25519
wolfSSL 7:481bce714567 33
wolfSSL 7:481bce714567 34 #include <wolfssl/wolfcrypt/ed25519.h>
wolfSSL 7:481bce714567 35 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 7:481bce714567 36 #include <wolfssl/wolfcrypt/hash.h>
wolfSSL 7:481bce714567 37 #ifdef NO_INLINE
wolfSSL 7:481bce714567 38 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 7:481bce714567 39 #else
wolfSSL 7:481bce714567 40 #define WOLFSSL_MISC_INCLUDED
wolfSSL 7:481bce714567 41 #include <wolfcrypt/src/misc.c>
wolfSSL 7:481bce714567 42 #endif
wolfSSL 7:481bce714567 43
wolfSSL 7:481bce714567 44 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 45 #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
wolfSSL 7:481bce714567 46 #endif
wolfSSL 7:481bce714567 47
wolfSSL 7:481bce714567 48 /* generate an ed25519 key pair.
wolfSSL 7:481bce714567 49 * returns 0 on success
wolfSSL 7:481bce714567 50 */
wolfSSL 7:481bce714567 51 int wc_ed25519_make_key(WC_RNG* rng, int keySz, ed25519_key* key)
wolfSSL 7:481bce714567 52 {
wolfSSL 7:481bce714567 53 byte az[ED25519_PRV_KEY_SIZE];
wolfSSL 7:481bce714567 54 int ret;
wolfSSL 7:481bce714567 55 #if !defined(FREESCALE_LTC_ECC)
wolfSSL 7:481bce714567 56 ge_p3 A;
wolfSSL 7:481bce714567 57 #endif
wolfSSL 7:481bce714567 58
wolfSSL 7:481bce714567 59 if (rng == NULL || key == NULL)
wolfSSL 7:481bce714567 60 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 61
wolfSSL 7:481bce714567 62 /* ed25519 has 32 byte key sizes */
wolfSSL 7:481bce714567 63 if (keySz != ED25519_KEY_SIZE)
wolfSSL 7:481bce714567 64 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 65
wolfSSL 7:481bce714567 66 ret = wc_RNG_GenerateBlock(rng, key->k, ED25519_KEY_SIZE);
wolfSSL 7:481bce714567 67 if (ret != 0)
wolfSSL 7:481bce714567 68 return ret;
wolfSSL 7:481bce714567 69 ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
wolfSSL 7:481bce714567 70 if (ret != 0) {
wolfSSL 7:481bce714567 71 ForceZero(key->k, ED25519_KEY_SIZE);
wolfSSL 7:481bce714567 72 return ret;
wolfSSL 7:481bce714567 73 }
wolfSSL 7:481bce714567 74
wolfSSL 7:481bce714567 75 /* apply clamp */
wolfSSL 7:481bce714567 76 az[0] &= 248;
wolfSSL 7:481bce714567 77 az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
wolfSSL 7:481bce714567 78 az[31] |= 64;
wolfSSL 7:481bce714567 79
wolfSSL 7:481bce714567 80 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 81 ltc_pkha_ecc_point_t publicKey = {0};
wolfSSL 7:481bce714567 82 publicKey.X = key->pointX;
wolfSSL 7:481bce714567 83 publicKey.Y = key->pointY;
wolfSSL 7:481bce714567 84 LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), az, ED25519_KEY_SIZE, &publicKey, kLTC_Ed25519 /* result on Ed25519 */);
wolfSSL 7:481bce714567 85 LTC_PKHA_Ed25519_Compress(&publicKey, key->p);
wolfSSL 7:481bce714567 86 #else
wolfSSL 7:481bce714567 87 ge_scalarmult_base(&A, az);
wolfSSL 7:481bce714567 88 ge_p3_tobytes(key->p, &A);
wolfSSL 7:481bce714567 89 #endif
wolfSSL 7:481bce714567 90 /* put public key after private key, on the same buffer */
wolfSSL 7:481bce714567 91 XMEMMOVE(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 92
wolfSSL 7:481bce714567 93 return ret;
wolfSSL 7:481bce714567 94 }
wolfSSL 7:481bce714567 95
wolfSSL 7:481bce714567 96
wolfSSL 7:481bce714567 97 #ifdef HAVE_ED25519_SIGN
wolfSSL 7:481bce714567 98 /*
wolfSSL 7:481bce714567 99 in contains the message to sign
wolfSSL 7:481bce714567 100 inlen is the length of the message to sign
wolfSSL 7:481bce714567 101 out is the buffer to write the signature
wolfSSL 7:481bce714567 102 outLen [in/out] input size of out buf
wolfSSL 7:481bce714567 103 output gets set as the final length of out
wolfSSL 7:481bce714567 104 key is the ed25519 key to use when signing
wolfSSL 7:481bce714567 105 return 0 on success
wolfSSL 7:481bce714567 106 */
wolfSSL 7:481bce714567 107 int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
wolfSSL 7:481bce714567 108 word32 *outLen, ed25519_key* key)
wolfSSL 7:481bce714567 109 {
wolfSSL 7:481bce714567 110 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 111 byte tempBuf[ED25519_PRV_KEY_SIZE];
wolfSSL 7:481bce714567 112 #else
wolfSSL 7:481bce714567 113 ge_p3 R;
wolfSSL 7:481bce714567 114 #endif
wolfSSL 7:481bce714567 115 byte nonce[SHA512_DIGEST_SIZE];
wolfSSL 7:481bce714567 116 byte hram[SHA512_DIGEST_SIZE];
wolfSSL 7:481bce714567 117 byte az[ED25519_PRV_KEY_SIZE];
wolfSSL 7:481bce714567 118 Sha512 sha;
wolfSSL 7:481bce714567 119 int ret;
wolfSSL 7:481bce714567 120
wolfSSL 7:481bce714567 121 /* sanity check on arguments */
wolfSSL 7:481bce714567 122 if (in == NULL || out == NULL || outLen == NULL || key == NULL)
wolfSSL 7:481bce714567 123 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 124
wolfSSL 7:481bce714567 125 /* check and set up out length */
wolfSSL 7:481bce714567 126 if (*outLen < ED25519_SIG_SIZE) {
wolfSSL 7:481bce714567 127 *outLen = ED25519_SIG_SIZE;
wolfSSL 7:481bce714567 128 return BUFFER_E;
wolfSSL 7:481bce714567 129 }
wolfSSL 7:481bce714567 130 *outLen = ED25519_SIG_SIZE;
wolfSSL 7:481bce714567 131
wolfSSL 7:481bce714567 132 /* step 1: create nonce to use where nonce is r in
wolfSSL 7:481bce714567 133 r = H(h_b, ... ,h_2b-1,M) */
wolfSSL 7:481bce714567 134 ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
wolfSSL 7:481bce714567 135 if (ret != 0)
wolfSSL 7:481bce714567 136 return ret;
wolfSSL 7:481bce714567 137
wolfSSL 7:481bce714567 138 /* apply clamp */
wolfSSL 7:481bce714567 139 az[0] &= 248;
wolfSSL 7:481bce714567 140 az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
wolfSSL 7:481bce714567 141 az[31] |= 64;
wolfSSL 7:481bce714567 142
wolfSSL 7:481bce714567 143 ret = wc_InitSha512(&sha);
wolfSSL 7:481bce714567 144 if (ret != 0)
wolfSSL 7:481bce714567 145 return ret;
wolfSSL 7:481bce714567 146 ret = wc_Sha512Update(&sha, az + ED25519_KEY_SIZE, ED25519_KEY_SIZE);
wolfSSL 7:481bce714567 147 if (ret != 0)
wolfSSL 7:481bce714567 148 return ret;
wolfSSL 7:481bce714567 149 ret = wc_Sha512Update(&sha, in, inlen);
wolfSSL 7:481bce714567 150 if (ret != 0)
wolfSSL 7:481bce714567 151 return ret;
wolfSSL 7:481bce714567 152 ret = wc_Sha512Final(&sha, nonce);
wolfSSL 7:481bce714567 153 if (ret != 0)
wolfSSL 7:481bce714567 154 return ret;
wolfSSL 7:481bce714567 155
wolfSSL 7:481bce714567 156 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 157 ltc_pkha_ecc_point_t ltcPoint = {0};
wolfSSL 7:481bce714567 158 ltcPoint.X = &tempBuf[0];
wolfSSL 7:481bce714567 159 ltcPoint.Y = &tempBuf[32];
wolfSSL 7:481bce714567 160 LTC_PKHA_sc_reduce(nonce);
wolfSSL 7:481bce714567 161 LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce, ED25519_KEY_SIZE, &ltcPoint, kLTC_Ed25519 /* result on Ed25519 */);
wolfSSL 7:481bce714567 162 LTC_PKHA_Ed25519_Compress(&ltcPoint, out);
wolfSSL 7:481bce714567 163 #else
wolfSSL 7:481bce714567 164 sc_reduce(nonce);
wolfSSL 7:481bce714567 165
wolfSSL 7:481bce714567 166 /* step 2: computing R = rB where rB is the scalar multiplication of
wolfSSL 7:481bce714567 167 r and B */
wolfSSL 7:481bce714567 168 ge_scalarmult_base(&R,nonce);
wolfSSL 7:481bce714567 169 ge_p3_tobytes(out,&R);
wolfSSL 7:481bce714567 170 #endif
wolfSSL 7:481bce714567 171
wolfSSL 7:481bce714567 172 /* step 3: hash R + public key + message getting H(R,A,M) then
wolfSSL 7:481bce714567 173 creating S = (r + H(R,A,M)a) mod l */
wolfSSL 7:481bce714567 174 ret = wc_InitSha512(&sha);
wolfSSL 7:481bce714567 175 if (ret != 0)
wolfSSL 7:481bce714567 176 return ret;
wolfSSL 7:481bce714567 177 ret = wc_Sha512Update(&sha, out, ED25519_SIG_SIZE/2);
wolfSSL 7:481bce714567 178 if (ret != 0)
wolfSSL 7:481bce714567 179 return ret;
wolfSSL 7:481bce714567 180 ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 181 if (ret != 0)
wolfSSL 7:481bce714567 182 return ret;
wolfSSL 7:481bce714567 183 ret = wc_Sha512Update(&sha, in, inlen);
wolfSSL 7:481bce714567 184 if (ret != 0)
wolfSSL 7:481bce714567 185 return ret;
wolfSSL 7:481bce714567 186 ret = wc_Sha512Final(&sha, hram);
wolfSSL 7:481bce714567 187 if (ret != 0)
wolfSSL 7:481bce714567 188 return ret;
wolfSSL 7:481bce714567 189
wolfSSL 7:481bce714567 190 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 191 LTC_PKHA_sc_reduce(hram);
wolfSSL 7:481bce714567 192 LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
wolfSSL 7:481bce714567 193 #else
wolfSSL 7:481bce714567 194 sc_reduce(hram);
wolfSSL 7:481bce714567 195 sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
wolfSSL 7:481bce714567 196 #endif
wolfSSL 7:481bce714567 197
wolfSSL 7:481bce714567 198 return ret;
wolfSSL 7:481bce714567 199 }
wolfSSL 7:481bce714567 200
wolfSSL 7:481bce714567 201 #endif /* HAVE_ED25519_SIGN */
wolfSSL 7:481bce714567 202
wolfSSL 7:481bce714567 203 #ifdef HAVE_ED25519_VERIFY
wolfSSL 7:481bce714567 204
wolfSSL 7:481bce714567 205 /*
wolfSSL 7:481bce714567 206 sig is array of bytes containing the signature
wolfSSL 7:481bce714567 207 siglen is the length of sig byte array
wolfSSL 7:481bce714567 208 msg the array of bytes containing the message
wolfSSL 7:481bce714567 209 msglen length of msg array
wolfSSL 7:481bce714567 210 stat will be 1 on successful verify and 0 on unsuccessful
wolfSSL 7:481bce714567 211 return 0 and stat of 1 on success
wolfSSL 7:481bce714567 212 */
wolfSSL 7:481bce714567 213 int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg,
wolfSSL 7:481bce714567 214 word32 msglen, int* stat, ed25519_key* key)
wolfSSL 7:481bce714567 215 {
wolfSSL 7:481bce714567 216 byte rcheck[ED25519_KEY_SIZE];
wolfSSL 7:481bce714567 217 byte h[SHA512_DIGEST_SIZE];
wolfSSL 7:481bce714567 218 #ifndef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 219 ge_p3 A;
wolfSSL 7:481bce714567 220 ge_p2 R;
wolfSSL 7:481bce714567 221 #endif
wolfSSL 7:481bce714567 222 int ret;
wolfSSL 7:481bce714567 223 Sha512 sha;
wolfSSL 7:481bce714567 224
wolfSSL 7:481bce714567 225 /* sanity check on arguments */
wolfSSL 7:481bce714567 226 if (sig == NULL || msg == NULL || stat == NULL || key == NULL)
wolfSSL 7:481bce714567 227 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 228
wolfSSL 7:481bce714567 229 /* set verification failed by default */
wolfSSL 7:481bce714567 230 *stat = 0;
wolfSSL 7:481bce714567 231
wolfSSL 7:481bce714567 232 /* check on basics needed to verify signature */
wolfSSL 7:481bce714567 233 if (siglen < ED25519_SIG_SIZE || (sig[ED25519_SIG_SIZE-1] & 224))
wolfSSL 7:481bce714567 234 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 235
wolfSSL 7:481bce714567 236 /* uncompress A (public key), test if valid, and negate it */
wolfSSL 7:481bce714567 237 #ifndef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 238 if (ge_frombytes_negate_vartime(&A, key->p) != 0)
wolfSSL 7:481bce714567 239 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 240 #endif
wolfSSL 7:481bce714567 241
wolfSSL 7:481bce714567 242 /* find H(R,A,M) and store it as h */
wolfSSL 7:481bce714567 243 ret = wc_InitSha512(&sha);
wolfSSL 7:481bce714567 244 if (ret != 0)
wolfSSL 7:481bce714567 245 return ret;
wolfSSL 7:481bce714567 246 ret = wc_Sha512Update(&sha, sig, ED25519_SIG_SIZE/2);
wolfSSL 7:481bce714567 247 if (ret != 0)
wolfSSL 7:481bce714567 248 return ret;
wolfSSL 7:481bce714567 249 ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 250 if (ret != 0)
wolfSSL 7:481bce714567 251 return ret;
wolfSSL 7:481bce714567 252 ret = wc_Sha512Update(&sha, msg, msglen);
wolfSSL 7:481bce714567 253 if (ret != 0)
wolfSSL 7:481bce714567 254 return ret;
wolfSSL 7:481bce714567 255 ret = wc_Sha512Final(&sha, h);
wolfSSL 7:481bce714567 256 if (ret != 0)
wolfSSL 7:481bce714567 257 return ret;
wolfSSL 7:481bce714567 258
wolfSSL 7:481bce714567 259 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 260 LTC_PKHA_sc_reduce(h);
wolfSSL 7:481bce714567 261 LTC_PKHA_SignatureForVerify(rcheck, h, sig + (ED25519_SIG_SIZE/2), key);
wolfSSL 7:481bce714567 262 #else
wolfSSL 7:481bce714567 263 sc_reduce(h);
wolfSSL 7:481bce714567 264
wolfSSL 7:481bce714567 265 /*
wolfSSL 7:481bce714567 266 Uses a fast single-signature verification SB = R + H(R,A,M)A becomes
wolfSSL 7:481bce714567 267 SB - H(R,A,M)A saving decompression of R
wolfSSL 7:481bce714567 268 */
wolfSSL 7:481bce714567 269 ret = ge_double_scalarmult_vartime(&R, h, &A, sig + (ED25519_SIG_SIZE/2));
wolfSSL 7:481bce714567 270 if (ret != 0)
wolfSSL 7:481bce714567 271 return ret;
wolfSSL 7:481bce714567 272
wolfSSL 7:481bce714567 273 ge_tobytes(rcheck, &R);
wolfSSL 7:481bce714567 274 #endif /* FREESCALE_LTC_ECC */
wolfSSL 7:481bce714567 275
wolfSSL 7:481bce714567 276 /* comparison of R created to R in sig */
wolfSSL 7:481bce714567 277 ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
wolfSSL 7:481bce714567 278 if (ret != 0)
wolfSSL 7:481bce714567 279 return SIG_VERIFY_E;
wolfSSL 7:481bce714567 280
wolfSSL 7:481bce714567 281 /* set the verification status */
wolfSSL 7:481bce714567 282 *stat = 1;
wolfSSL 7:481bce714567 283
wolfSSL 7:481bce714567 284 return ret;
wolfSSL 7:481bce714567 285 }
wolfSSL 7:481bce714567 286
wolfSSL 7:481bce714567 287 #endif /* HAVE_ED25519_VERIFY */
wolfSSL 7:481bce714567 288
wolfSSL 7:481bce714567 289
wolfSSL 7:481bce714567 290 /* initialize information and memory for key */
wolfSSL 7:481bce714567 291 int wc_ed25519_init(ed25519_key* key)
wolfSSL 7:481bce714567 292 {
wolfSSL 7:481bce714567 293 if (key == NULL)
wolfSSL 7:481bce714567 294 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 295
wolfSSL 7:481bce714567 296 XMEMSET(key, 0, sizeof(ed25519_key));
wolfSSL 7:481bce714567 297
wolfSSL 7:481bce714567 298 return 0;
wolfSSL 7:481bce714567 299 }
wolfSSL 7:481bce714567 300
wolfSSL 7:481bce714567 301
wolfSSL 7:481bce714567 302 /* clear memory of key */
wolfSSL 7:481bce714567 303 void wc_ed25519_free(ed25519_key* key)
wolfSSL 7:481bce714567 304 {
wolfSSL 7:481bce714567 305 if (key == NULL)
wolfSSL 7:481bce714567 306 return;
wolfSSL 7:481bce714567 307
wolfSSL 7:481bce714567 308 ForceZero(key, sizeof(ed25519_key));
wolfSSL 7:481bce714567 309 }
wolfSSL 7:481bce714567 310
wolfSSL 7:481bce714567 311
wolfSSL 7:481bce714567 312 #ifdef HAVE_ED25519_KEY_EXPORT
wolfSSL 7:481bce714567 313
wolfSSL 7:481bce714567 314 /*
wolfSSL 7:481bce714567 315 outLen should contain the size of out buffer when input. outLen is than set
wolfSSL 7:481bce714567 316 to the final output length.
wolfSSL 7:481bce714567 317 returns 0 on success
wolfSSL 7:481bce714567 318 */
wolfSSL 7:481bce714567 319 int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen)
wolfSSL 7:481bce714567 320 {
wolfSSL 7:481bce714567 321 /* sanity check on arguments */
wolfSSL 7:481bce714567 322 if (key == NULL || out == NULL || outLen == NULL)
wolfSSL 7:481bce714567 323 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 324
wolfSSL 7:481bce714567 325 if (*outLen < ED25519_PUB_KEY_SIZE) {
wolfSSL 7:481bce714567 326 *outLen = ED25519_PUB_KEY_SIZE;
wolfSSL 7:481bce714567 327 return BUFFER_E;
wolfSSL 7:481bce714567 328 }
wolfSSL 7:481bce714567 329
wolfSSL 7:481bce714567 330 *outLen = ED25519_PUB_KEY_SIZE;
wolfSSL 7:481bce714567 331 XMEMCPY(out, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 332
wolfSSL 7:481bce714567 333 return 0;
wolfSSL 7:481bce714567 334 }
wolfSSL 7:481bce714567 335
wolfSSL 7:481bce714567 336 #endif /* HAVE_ED25519_KEY_EXPORT */
wolfSSL 7:481bce714567 337
wolfSSL 7:481bce714567 338
wolfSSL 7:481bce714567 339 #ifdef HAVE_ED25519_KEY_IMPORT
wolfSSL 7:481bce714567 340 /*
wolfSSL 7:481bce714567 341 Imports a compressed/uncompressed public key.
wolfSSL 7:481bce714567 342 in the byte array containing the public key
wolfSSL 7:481bce714567 343 inLen the length of the byte array being passed in
wolfSSL 7:481bce714567 344 key ed25519 key struct to put the public key in
wolfSSL 7:481bce714567 345 */
wolfSSL 7:481bce714567 346 int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key)
wolfSSL 7:481bce714567 347 {
wolfSSL 7:481bce714567 348 int ret;
wolfSSL 7:481bce714567 349
wolfSSL 7:481bce714567 350 /* sanity check on arguments */
wolfSSL 7:481bce714567 351 if (in == NULL || key == NULL)
wolfSSL 7:481bce714567 352 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 353
wolfSSL 7:481bce714567 354 if (inLen < ED25519_PUB_KEY_SIZE)
wolfSSL 7:481bce714567 355 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 356
wolfSSL 7:481bce714567 357 /* compressed prefix according to draft
wolfSSL 7:481bce714567 358 http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-02.txt */
wolfSSL 7:481bce714567 359 if (in[0] == 0x40 && inLen > ED25519_PUB_KEY_SIZE) {
wolfSSL 7:481bce714567 360 /* key is stored in compressed format so just copy in */
wolfSSL 7:481bce714567 361 XMEMCPY(key->p, (in + 1), ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 362 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 363 /* recover X coordinate */
wolfSSL 7:481bce714567 364 ltc_pkha_ecc_point_t pubKey;
wolfSSL 7:481bce714567 365 pubKey.X = key->pointX;
wolfSSL 7:481bce714567 366 pubKey.Y = key->pointY;
wolfSSL 7:481bce714567 367 LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
wolfSSL 7:481bce714567 368 #endif
wolfSSL 7:481bce714567 369 return 0;
wolfSSL 7:481bce714567 370 }
wolfSSL 7:481bce714567 371
wolfSSL 7:481bce714567 372 /* importing uncompressed public key */
wolfSSL 7:481bce714567 373 if (in[0] == 0x04 && inLen > 2*ED25519_PUB_KEY_SIZE) {
wolfSSL 7:481bce714567 374 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 375 /* reverse bytes for little endian byte order */
wolfSSL 7:481bce714567 376 for (int i = 0; i < ED25519_KEY_SIZE; i++)
wolfSSL 7:481bce714567 377 {
wolfSSL 7:481bce714567 378 key->pointX[i] = *(in + ED25519_KEY_SIZE - i);
wolfSSL 7:481bce714567 379 key->pointY[i] = *(in + 2*ED25519_KEY_SIZE - i);
wolfSSL 7:481bce714567 380 }
wolfSSL 7:481bce714567 381 XMEMCPY(key->p, key->pointY, ED25519_KEY_SIZE);
wolfSSL 7:481bce714567 382 ret = 0;
wolfSSL 7:481bce714567 383 #else
wolfSSL 7:481bce714567 384 /* pass in (x,y) and store compressed key */
wolfSSL 7:481bce714567 385 ret = ge_compress_key(key->p, in+1,
wolfSSL 7:481bce714567 386 in+1+ED25519_PUB_KEY_SIZE, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 387 #endif /* FREESCALE_LTC_ECC */
wolfSSL 7:481bce714567 388 return ret;
wolfSSL 7:481bce714567 389 }
wolfSSL 7:481bce714567 390
wolfSSL 7:481bce714567 391 /* if not specified compressed or uncompressed check key size
wolfSSL 7:481bce714567 392 if key size is equal to compressed key size copy in key */
wolfSSL 7:481bce714567 393 if (inLen == ED25519_PUB_KEY_SIZE) {
wolfSSL 7:481bce714567 394 XMEMCPY(key->p, in, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 395 #ifdef FREESCALE_LTC_ECC
wolfSSL 7:481bce714567 396 /* recover X coordinate */
wolfSSL 7:481bce714567 397 ltc_pkha_ecc_point_t pubKey;
wolfSSL 7:481bce714567 398 pubKey.X = key->pointX;
wolfSSL 7:481bce714567 399 pubKey.Y = key->pointY;
wolfSSL 7:481bce714567 400 LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
wolfSSL 7:481bce714567 401 #endif
wolfSSL 7:481bce714567 402 return 0;
wolfSSL 7:481bce714567 403 }
wolfSSL 7:481bce714567 404
wolfSSL 7:481bce714567 405 /* bad public key format */
wolfSSL 7:481bce714567 406 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 407 }
wolfSSL 7:481bce714567 408
wolfSSL 7:481bce714567 409
wolfSSL 7:481bce714567 410 /*
wolfSSL 7:481bce714567 411 For importing a private key and its associated public key.
wolfSSL 7:481bce714567 412 */
wolfSSL 7:481bce714567 413 int wc_ed25519_import_private_key(const byte* priv, word32 privSz,
wolfSSL 7:481bce714567 414 const byte* pub, word32 pubSz, ed25519_key* key)
wolfSSL 7:481bce714567 415 {
wolfSSL 7:481bce714567 416 int ret;
wolfSSL 7:481bce714567 417
wolfSSL 7:481bce714567 418 /* sanity check on arguments */
wolfSSL 7:481bce714567 419 if (priv == NULL || pub == NULL || key == NULL)
wolfSSL 7:481bce714567 420 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 421
wolfSSL 7:481bce714567 422 /* key size check */
wolfSSL 7:481bce714567 423 if (privSz < ED25519_KEY_SIZE || pubSz < ED25519_PUB_KEY_SIZE)
wolfSSL 7:481bce714567 424 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 425
wolfSSL 7:481bce714567 426 /* import public key */
wolfSSL 7:481bce714567 427 ret = wc_ed25519_import_public(pub, pubSz, key);
wolfSSL 7:481bce714567 428 if (ret != 0)
wolfSSL 7:481bce714567 429 return ret;
wolfSSL 7:481bce714567 430
wolfSSL 7:481bce714567 431 /* make the private key (priv + pub) */
wolfSSL 7:481bce714567 432 XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
wolfSSL 7:481bce714567 433 XMEMCPY(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL 7:481bce714567 434
wolfSSL 7:481bce714567 435 return ret;
wolfSSL 7:481bce714567 436 }
wolfSSL 7:481bce714567 437
wolfSSL 7:481bce714567 438 #endif /* HAVE_ED25519_KEY_IMPORT */
wolfSSL 7:481bce714567 439
wolfSSL 7:481bce714567 440
wolfSSL 7:481bce714567 441 #ifdef HAVE_ED25519_KEY_EXPORT
wolfSSL 7:481bce714567 442
wolfSSL 7:481bce714567 443 /*
wolfSSL 7:481bce714567 444 export private key only (secret part so 32 bytes)
wolfSSL 7:481bce714567 445 outLen should contain the size of out buffer when input. outLen is than set
wolfSSL 7:481bce714567 446 to the final output length.
wolfSSL 7:481bce714567 447 returns 0 on success
wolfSSL 7:481bce714567 448 */
wolfSSL 7:481bce714567 449 int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen)
wolfSSL 7:481bce714567 450 {
wolfSSL 7:481bce714567 451 /* sanity checks on arguments */
wolfSSL 7:481bce714567 452 if (key == NULL || out == NULL || outLen == NULL)
wolfSSL 7:481bce714567 453 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 454
wolfSSL 7:481bce714567 455 if (*outLen < ED25519_KEY_SIZE) {
wolfSSL 7:481bce714567 456 *outLen = ED25519_KEY_SIZE;
wolfSSL 7:481bce714567 457 return BUFFER_E;
wolfSSL 7:481bce714567 458 }
wolfSSL 7:481bce714567 459
wolfSSL 7:481bce714567 460 *outLen = ED25519_KEY_SIZE;
wolfSSL 7:481bce714567 461 XMEMCPY(out, key->k, ED25519_KEY_SIZE);
wolfSSL 7:481bce714567 462
wolfSSL 7:481bce714567 463 return 0;
wolfSSL 7:481bce714567 464 }
wolfSSL 7:481bce714567 465
wolfSSL 7:481bce714567 466 /*
wolfSSL 7:481bce714567 467 export private key, including public part
wolfSSL 7:481bce714567 468 outLen should contain the size of out buffer when input. outLen is than set
wolfSSL 7:481bce714567 469 to the final output length.
wolfSSL 7:481bce714567 470 returns 0 on success
wolfSSL 7:481bce714567 471 */
wolfSSL 7:481bce714567 472 int wc_ed25519_export_private(ed25519_key* key, byte* out, word32* outLen)
wolfSSL 7:481bce714567 473 {
wolfSSL 7:481bce714567 474 /* sanity checks on arguments */
wolfSSL 7:481bce714567 475 if (key == NULL || out == NULL || outLen == NULL)
wolfSSL 7:481bce714567 476 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 477
wolfSSL 7:481bce714567 478 if (*outLen < ED25519_PRV_KEY_SIZE) {
wolfSSL 7:481bce714567 479 *outLen = ED25519_PRV_KEY_SIZE;
wolfSSL 7:481bce714567 480 return BUFFER_E;
wolfSSL 7:481bce714567 481 }
wolfSSL 7:481bce714567 482
wolfSSL 7:481bce714567 483 *outLen = ED25519_PRV_KEY_SIZE;
wolfSSL 7:481bce714567 484 XMEMCPY(out, key->k, ED25519_PRV_KEY_SIZE);
wolfSSL 7:481bce714567 485
wolfSSL 7:481bce714567 486 return 0;
wolfSSL 7:481bce714567 487 }
wolfSSL 7:481bce714567 488
wolfSSL 7:481bce714567 489 /* export full private key and public key
wolfSSL 7:481bce714567 490 return 0 on success
wolfSSL 7:481bce714567 491 */
wolfSSL 7:481bce714567 492 int wc_ed25519_export_key(ed25519_key* key,
wolfSSL 7:481bce714567 493 byte* priv, word32 *privSz,
wolfSSL 7:481bce714567 494 byte* pub, word32 *pubSz)
wolfSSL 7:481bce714567 495 {
wolfSSL 7:481bce714567 496 int ret;
wolfSSL 7:481bce714567 497
wolfSSL 7:481bce714567 498 /* export 'full' private part */
wolfSSL 7:481bce714567 499 ret = wc_ed25519_export_private(key, priv, privSz);
wolfSSL 7:481bce714567 500 if (ret != 0)
wolfSSL 7:481bce714567 501 return ret;
wolfSSL 7:481bce714567 502
wolfSSL 7:481bce714567 503 /* export public part */
wolfSSL 7:481bce714567 504 ret = wc_ed25519_export_public(key, pub, pubSz);
wolfSSL 7:481bce714567 505
wolfSSL 7:481bce714567 506 return ret;
wolfSSL 7:481bce714567 507 }
wolfSSL 7:481bce714567 508
wolfSSL 7:481bce714567 509 #endif /* HAVE_ED25519_KEY_EXPORT */
wolfSSL 7:481bce714567 510
wolfSSL 7:481bce714567 511
wolfSSL 7:481bce714567 512 /* returns the private key size (secret only) in bytes */
wolfSSL 7:481bce714567 513 int wc_ed25519_size(ed25519_key* key)
wolfSSL 7:481bce714567 514 {
wolfSSL 7:481bce714567 515 if (key == NULL)
wolfSSL 7:481bce714567 516 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 517
wolfSSL 7:481bce714567 518 return ED25519_KEY_SIZE;
wolfSSL 7:481bce714567 519 }
wolfSSL 7:481bce714567 520
wolfSSL 7:481bce714567 521 /* returns the private key size (secret + public) in bytes */
wolfSSL 7:481bce714567 522 int wc_ed25519_priv_size(ed25519_key* key)
wolfSSL 7:481bce714567 523 {
wolfSSL 7:481bce714567 524 if (key == NULL)
wolfSSL 7:481bce714567 525 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 526
wolfSSL 7:481bce714567 527 return ED25519_PRV_KEY_SIZE;
wolfSSL 7:481bce714567 528 }
wolfSSL 7:481bce714567 529
wolfSSL 7:481bce714567 530 /* returns the compressed key size in bytes (public key) */
wolfSSL 7:481bce714567 531 int wc_ed25519_pub_size(ed25519_key* key)
wolfSSL 7:481bce714567 532 {
wolfSSL 7:481bce714567 533 if (key == NULL)
wolfSSL 7:481bce714567 534 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 535
wolfSSL 7:481bce714567 536 return ED25519_PUB_KEY_SIZE;
wolfSSL 7:481bce714567 537 }
wolfSSL 7:481bce714567 538
wolfSSL 7:481bce714567 539 /* returns the size of signature in bytes */
wolfSSL 7:481bce714567 540 int wc_ed25519_sig_size(ed25519_key* key)
wolfSSL 7:481bce714567 541 {
wolfSSL 7:481bce714567 542 if (key == NULL)
wolfSSL 7:481bce714567 543 return BAD_FUNC_ARG;
wolfSSL 7:481bce714567 544
wolfSSL 7:481bce714567 545 return ED25519_SIG_SIZE;
wolfSSL 7:481bce714567 546 }
wolfSSL 7:481bce714567 547
wolfSSL 7:481bce714567 548 #endif /* HAVE_ED25519 */
wolfSSL 7:481bce714567 549
wolfSSL 7:481bce714567 550